
Keyword Search Result

[Keyword] IP spoofing (4 hits)

Results 1-4
  • Defending against DDoS Attacks under IP Spoofing Using Image Processing Approach

    Tae Hwan KIM, Dong Seong KIM, Hee Young JUNG

    PAPER-Internet, Vol. E99-B, No. 7, pp. 1511-1522

    This paper presents a novel defense scheme for DDoS attacks that uses an image processing method. This scheme especially focuses on the prevalence of adjacent neighbor spoofing, called subnet spoofing. It is rarely studied, and there are few or no feasible approaches compared to other spoofing attacks. The key idea is that a “DDoS attack with IP spoofing” is represented as a specific pattern such as a “line” on the spatial image planes, which can be recognized through an image processing technique. Applying the clustering technique to the lines makes it possible to identify multiple attack source networks simultaneously. For the identified networks in which the zombie hosts reside, we then employ a signature-based pattern extraction algorithm, called a pivoted movement, and the DDoS attacks are filtered by correlating the IP and media access control pairing signature. As a result, this proposed scheme filters attacks without disturbing legitimate traffic. Unlike previous IP traceback schemes such as packet marking and path fingerprinting, which try to diagnose the entire attack path, our proposed scheme focuses on identifying only the attack source. Our approach can achieve an adaptive response to DDoS attacks, thereby mitigating them at the source, while minimizing the disruption of legitimate traffic. The proposed scheme is analyzed and evaluated on the IPv4 and IPv6 network topology from CAIDA, the results of which show its effectiveness.

  • Proactive Defense Mechanism against IP Spoofing Traffic on a NEMO Environment

    Mihui KIM, Kijoon CHAE

    PAPER, Vol. E89-A, No. 7, pp. 1959-1967

    The boundary of a distributed denial of service (DDoS) attack, one of the most threatening attacks in a wired network, now extends to wireless mobile networks, following the appearance of a DDoS attack tool targeted at mobile phones. However, the existing defense mechanisms against such attacks in a wired network are not effective in a wireless mobile network, because of differences in their characteristics such as the mobility of attack agents. In this paper, we propose a proactive defense mechanism against IP spoofing traffic for mobile networks. IP spoofing is one of the features of a DDoS attack against which it is most difficult to defend. Among the various mobile networks, we focus on the Network Mobility standard that is being established by the NEMO Working Group in the IETF. Our defense consists of the following five processes: speedy detection, filtering of attack packets, identification of attack agents, isolation of attack agents, and notification to neighboring routers. We simulated and analyzed the effects on normal traffic of moving attack agents, and the results of applying our defense to a mobile network. Our simulation results show that our mechanism provides a robust defense.

  • Branch Label Based Probabilistic Packet Marking for Counteracting DDoS Attacks

    Toshiaki OGAWA, Fumitaka NAKAMURA, Yasushi WAKAHARA

    PAPER-Security Issues, Vol. E87-B, No. 7, pp. 1900-1909

    Effective counteraction to Distributed Denial-of-Service (DDoS) attacks is a pressing problem over the Internet. For this counteraction, it is considered important to locate the router interfaces closest to the attackers in order to effectively filter a great number of identification-jamming packets with spoofed source addresses from a widely distributed area. Edge sample (ES) based Probabilistic Packet Marking (PPM) is an encouraging method to cope with source IP spoofing, which usually accompanies DDoS attacks. But its fragmentation of path information leads to inefficiency in terms of the necessary number of packets, path calculation time and identification accuracy. We propose Branch Label (BL) based PPM to solve the above inefficiency problem. In BL, the whole information of a single path is marked in a packet without fragmentation, in contrast to ES based PPM. The whole path information in packets by the BL approach is expressed with branch information of each router interface. This brings the following three key advantages in the process of detecting the interfaces: quick increase in true-positives detected (efficiency), quick decrease in false-negatives detected (accuracy) and fast convergence (quickness).

  • A Scheme of Secret Communication Using Internet Control Message Protocol

    Masataka SUZUKI, Tsutomu MATSUMOTO

    PAPER, Vol. E85-A, No. 1, pp. 181-189

    We describe a scheme of secret communication over the Internet utilizing the potentiality of the TCP/IP protocol suite in a non-standard way. Except for the sender and the receiver of the secret communication, it does not need any entities installed with special software. Moreover, it does not require them to share any key beforehand. Such features of the scheme stem from the use of IP datagrams with spoofed source addresses and their related Internet Control Message Protocol (ICMP) error messages induced by artificial faults. Countermeasures against IP spoofing are deployed in various places since it is often used together with attacks such as distributed denial of service (DDoS) and SPAM mailing. Thus we examine the environment in which the scheme works as intended and also clarify the conditions that render the scheme obsolete. Furthermore, we estimate the amount of data that can be secretly communicated by the scheme, the storage requirements for the receivers, and those for the observers who monitor the traffic to detect the very existence of such a secret communication. We also discuss various issues including the sender anonymity achieved by the scheme.